CVE-2026-41231
Published:April 23, 2026
Updated:April 26, 2026
Froxlor is open source server administration software. Prior to version 2.3.6, "DataDump.add()" constructs the export destination path from user-supplied input without passing the "$fixed_homedir" parameter to "FileDir::makeCorrectDir()", bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes "chown -R" on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
Affected Packages
https://github.com/froxlor/froxlor.git (GITHUB):
Affected version(s) >=0.9 <2.3.6Fix Suggestion:
Update to version 2.3.6froxlor/froxlor (PHP):
Affected version(s) >=dev-backup-feature <2.3.6Fix Suggestion:
Update to version 2.3.6Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Link Resolution Before File Access ('Link Following')
EPSS
Base Score:
0.05
